Virtual machine exit analyzer

ABSTRACT

Technologies are generally described for systems, devices and methods effective to implement a virtual machine exit analyzer. A virtual machine handler may receive a request that includes an instruction. The instruction may include a port and a data block identifier. The virtual machine handler may generate a modified request. The modified request may include the port, a block portion identifier and an identification of a comparator. The virtual machine handler may send values identified by the block portion identifier to the comparator. The virtual machine handler may receive an exit indicator from the comparator that indicates whether the virtual machine should exit the core.

BACKGROUND

Unless otherwise indicated herein, the materials described in thissection are not prior art to the claims in this application and are notadmitted to be prior art by inclusion in this section.

One or more virtual machines may be executed by a processor. A virtualmachine may be a software instantiation of a computing environment oroperating system. Virtual machines may emulate the architecture and orthe functions of a physical machine A request for execution of certaininstructions by a virtual machine may result in the processor stoppingexecution of the virtual machine, or a virtual machine exit.

SUMMARY

In one example, methods for determining whether a virtual machine beingexecuted by a core should exit the core are generally described. Themethods may include receiving a request by a virtual machine handler.The request may include an instruction. The instruction may include aport and a data block identifier. The methods may further includegenerating a modified request. The modified request may include theport, a block portion identifier and an identification of a comparator.The methods may further include sending values identified by the blockportion identifier to the comparator. The methods may further includereceiving an exit indicator from the comparator. The exit indicator mayindicate whether the virtual machine should exit the core.

In one example, methods for determining whether a virtual machine beingexecuted by a core should exit the core are generally described. Themethods may include, by a virtual machine handler, receiving a requestby the virtual machine The request may include an instruction. Theinstruction may include a port and a data block identifier. The methodsmay further include, by the virtual machine handler, generating amodified request. The modified request may include the port, a blockportion identifier and an identification of a comparator. The methodsmay further include, by the virtual machine handler, sending valuesidentified by the block portion identifier to the comparator. Themethods may further include, by a comparator, comparing the valuesidentified by the block portion identifier with a list of allowedvalues. The methods may further include, by the comparator, generatingan exit indicator. The exit indicator may indicate that the virtualmachine should not exit the core when the values identified by the blockportion identifier matches the allowed values. The methods may furtherinclude, by the comparator, sending the exit indicator to the virtualmachine handler. The methods may further include, by the virtual machinehandler, receiving the exit indicator from the comparator.

In one example, processors are generally described. The processors mayinclude a core. The core may include a virtual machine handler. The coremay be effective to execute a virtual machine The processors may furtherinclude a buffer. The virtual machine handler may be effective toreceive a request that relates to an instruction. The instruction mayinclude a port and a data block identifier. The virtual machine handlermay be further effective to store the instruction in the buffer. Thevirtual machine handler may be further effective to generate a modifiedrequest. The modified request may include the port, a block portionidentifier and an identification of a comparator. The virtual machinehandler may be further effective to send values identified by the blockportion identifier to the comparator. The virtual machine handler may befurther effective to receive an exit indicator from the comparator. Theexit indicator may indicate whether the virtual machine should exit thecore.

In one example, methods for a virtual machine manager to program avirtualization hardware to determine whether a virtual machine shouldexit a core are generally described. The methods may include instructinga virtual machine handler to receive a request by a virtual machinemanager. The request may relate to an instruction. The instruction mayinclude a port and a data block identifier. The methods may furtherinclude instructing the virtual machine handler to generate a modifiedrequest. The modified request may include the port, a block portionidentifier and an identification of a comparator. The methods mayfurther include instructing the virtual machine handler to send valuesidentified by the block portion identifier to the comparator. Themethods may further include instructing the virtual machine handler toreceive an exit indicator from the comparator. The exit indicator mayindicate whether the virtual machine should exit the core.

The foregoing summary is illustrative only and is not intended to be inany way limiting. In addition to the illustrative aspects, embodiments,and features described above, further aspects, embodiments, and featureswill become apparent by reference to the drawings and the followingdetailed description.

BRIEF DESCRIPTION OF THE FIGURES

The foregoing and other features of this disclosure will become morefully apparent from the following description and appended claims, takenin conjunction with the accompanying drawings. Understanding that thesedrawings depict only several embodiments in accordance with thedisclosure and are, therefore, not to be considered limiting of itsscope, the disclosure will be described with additional specificity anddetail through use of the accompanying drawings, in which:

FIG. 1 illustrates an example system that can be utilized to implement avirtual machine exit analyzer;

FIG. 2 depicts the example system of FIG. 1 illustrating additionaldetails relating to an exit analyzer;

FIG. 3 depicts a flow diagram for an example process to implement avirtual machine exit analyzer;

FIG. 4 illustrates an example computer program product that can beutilized to implement a virtual machine exit analyzer; and

FIG. 5 is a block diagram illustrating an example computing device thatis arranged to implement a virtual machine exit analyzer; all arrangedaccording to at least some embodiments described herein.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings, which form a part hereof In the drawings, similarsymbols typically identify similar components, unless context dictatesotherwise. The illustrative embodiments described in the detaileddescription, figures, and claims are not meant to be limiting. Otherembodiments may be utilized, and other changes may be made, withoutdeparting from the spirit or scope of the subject matter presentedherein. The aspects of the present disclosure, as generally describedherein, and illustrated in the figures, can be arranged, substituted,combined, separated, and designed in a wide variety of differentconfigurations, all of which are explicitly contemplated herein.

This disclosure is generally drawn to, inter alia, methods, apparatus,systems, devices, and computer program products related to a virtualmachine exit analyzer.

Briefly stated, technologies are generally described for systems,devices and methods effective to implement a virtual machine exitanalyzer. A virtual machine handler may receive a request that includesan instruction. The instruction may include a port and a data blockidentifier. The virtual machine handler may generate a modified request.The modified request may include the port, a block portion identifierand an identification of a comparator. The virtual machine handler maysend values identified by the block portion identifier to thecomparator. The virtual machine handler may receive an exit indicatorfrom the comparator that indicates whether the virtual machine shouldexit the core.

FIG. 1 illustrates an example system that can be utilized to implement avirtual machine exit analyzer in accordance with at least someembodiments described herein. An example system 100 may include aprocessor 102. Processor 102 may include one or more cores 104. Core 104may execute one or more virtual machines 110. A virtual machine may be,for example, a software instantiation of a computing environment.Virtual machines may be based on specifications of a hypotheticalcomputing environment or emulate computer architecture and functions ofa physical computer. Virtual machine 110 may execute one or moreinstructions. Processor 102 may include one or more virtual machinemanagers 120. Virtual machine manager 120 may be, for example, hardwareand/or some combination of hardware and instructions executable on thehardware and may be used to instantiate and/or control virtual machines110. In examples where virtual machine manager 120 includes executableinstructions, core 104 may execute virtual machine manager 120.Processor 102 may include one or more virtual machine handlers (“VMHandler”) 114. Virtual machine handler 114 may be hardware inside oroutside of core 104 and may monitor instructions requested to beexecuted by virtual machine 110. Virtual machine handler 114 may beconfigured to store control data related to instructions executed byvirtual machine 110. Virtual machine handler 114 may receive and trapcertain instructions executed by virtual machine 110 relating to ports124 of processor 102. Virtual machine handler 114 may be controlled byvirtual machine manager 120.

Virtual machine handler 114 may include one or more virtual machineexecution control tables 116 and/or one or more virtual machine exitcheck tables 118. Virtual machine execution control table 116 andvirtual machine exit check table 118 may be data structures stored in amemory associated with virtual machine handler 114, such as in a cacheor in one or more registers or main memory. A request 108 may begenerated by virtual machine 110. Request 108 may be a request toexecute certain instructions. Example requests may include requestingaccess to input data to, or receive data from, a particular port 124 ofprocessor 102.

As will be discussed in more detail below, exit analyzer 106 may be usedto produce an exit indicator 112. In brief, request 108 may be trappedby virtual machine handler 114. Virtual machine handler 114 may comparerequest 108 with data in virtual machine execution control table 116 andvirtual machine execution check table 118. In response to the analysis,virtual machine handler 114 may generate and send a modified request 122to exit analyzer 106. Exit analyzer 106 may include a comparator 107.Exit analyzer 106 may compare the values identified in modified request122 with a list 126 of allowed values using the identified comparator107. Allowed values may be, for example, a list of allowed networkaddresses or a list of data and/or data structures which may be allowedto be written to a port. In response to the analysis, exit analyzer 106may generate exit indicator 112. Exit indicator 112 may be a Booleanvalue that indicates whether virtual machine 110 should exit core 104.The values identified in modified request 122 may be, for example,related to a request to send data to a particular network address. Inanother example, the values in modified request 122 may be related to arequest to store particular content such as a credit card number or asocial security number in a digital loss prevention scenario.

FIG. 2 illustrates the example system of FIG. 1 with additional detailsrelating to the exit analyzer arranged in accordance with at least someembodiments described herein. Those components in FIG. 2 that arelabeled identically to components of FIG. 1 will not be described againfor the purposes of clarity and brevity.

In examples where virtual machine 110 generates request 108, instruction252 relating to request 108 may be stored in a buffer 222. For example,instruction 252 may include a requested port 254, and a data blockidentifier 256. Data block identifier 256 may include a pointer to anaddress in a memory and a byte count. In an example, values identifiedby data block identifier 256 may include a network address. In anotherexample, values identified by data block identifier 256 may includecontent requested to be written through requested port 254. Virtualmachine handler 114 may compare request 108 with data in virtual machineexecution table 116. Virtual machine execution table 116 may, forexample, define situations where request 108 should be trapped andfurther analyzed to determine whether virtual machine 110 should exitcore 104. For example, virtual machine execution table 116 may be atable including a bit position field 264, a name field 266, and/or adescription field 268. Bit position field 264 may correspond to bitparity values in a register such as whether a particular exit analysisis enabled or disabled. Name field 266 may indicate a name of the exitanalysis. Description field 268 may indicate a description of the exitanalysis.

In the example illustrated, in bit position “24”, an “Unconditional I/OExiting” exit analysis may be selectively enabled. In such an exitanalysis, any input or output instruction may cause a virtual machine toexit core 104 (“I/O instructions cause an exit”). In bit position “26”,an “I/O Exit with checking” exit analysis may be selectively enabled. Insuch an exit analysis, any input and/or output request may be comparedwith exit check table 118 (“Consult VM exit check table”).

Virtual machine exit check table 118 may include a port field 258, anFSA field 260 and/or a block portion identifier (“ID”) field 262. Datain virtual machine exit table 118 may be populated by virtual machinemanager 120. Port field 258 may identify values for ports 254 that maybe requested in instruction 252. FSA field 260 may identify a comparatoror a finite state automata engine associated with the port in port field258. Block portion ID field 262 may include a block portion ID 263.Block portion ID 263 may include an offset, and a byte count. The offsetmay indicate a beginning location of values to be compared. The bytecount may indicate a number of bytes to be compared starting from theoffset. Block portion ID 263 may be used to locate a subset of valuesidentified by data block identifier 256 of instruction 252. Valuesidentified by block portion ID 263 may be compared at one or morecomparators identified by FSA field 260. In the example illustrated, ifinstruction 252 identifies port “7”, FSA 234 may be associated with thatport and offset FFF plus the byte count of block portion ID 263 may beused to locate a portion of values identified by data block identifier256 of instruction 252.

Exit analyzer 106 may include one or more comparators 107 such as finitestate automata devices (“FSA”) 234, 236, 238. Finite state automatadevices 234, 236 and 238 may be, for example, comparators, or finitestate machines configured to compare two or more values. Examples ofcomparators may include, hardware finite automata, (field programmablegate arrays) FPGAs, (application specific integrated circuits) ASICs orother analyzers. FSAs 234, 236, 238 may be associated with respectivememory addresses 240, 242, 244 in a memory 232 such as by virtualmachine manager 120. In an example, memory 232 may be part of exitanalyzer 106 and/or part of one or more FSAs 234, 236, 238. In anexample, FSAs 234, 236, 238 may be associated with memory addresses 240,242, 244 by virtual machine manager 120, a virtual machine managerplug-in and/or a user.

At memory address 240 may be stored a list 246 relating to FSA 234. Atmemory address 242 may be stored a list 248 relating to FSA 236. Atmemory address 244 may be stored a list 250 relating to FSA 238. Lists246, 248, 250 may comprise allowed values for particular virtualmachines Such lists may be conceptually thought of as “white” lists.Alternatively, lists 246, 248, 250 may comprise disallowed values forparticular virtual machines Such lists may be conceptually thought of as“black” lists. In an example where lists 246, 248, 250 identify allowedvalues, virtual machine 110 may write or transmit such content withoutrequiring virtual machine 110 to exit core 104. In the example, as lists246, 248, 250 identify allowed content, virtual machine 110 need notexit core 104 and, for example, execute virtual machine manager 120 todetermine whether virtual machine 110 may access the permissibleaddresses. Allowed or disallowed values may also be programmed into thecomparator itself, for example by arranging a finite state automata toimplement an Aho-Corasick string matching state machine or byimplementing an FPGA look up table.

Exit analyzer 106 may include a block portion retriever 226. Blockportion retriever 226 may be hardware configured to use block portion ID263 to fetch a subset of values identified by data block identifier 256of instruction 252. In examples where modified request 122 relates tothe values identified by block portion ID 263 matching allowed values inone of lists 246, 248, 250, exit analyzer 106 may generate exitindicator 112 indicating that an exit from core 104 is not necessary.Exit analyzer 106 may send exit indicator 112 to virtual machine handler114. Virtual machine handler 114 may then allow virtual machine 110 toexecute request 108.

In an example where request 108 relates to port “7”, virtual machineexit check table 118 may identify FSA 234 as an appropriate comparator.In the example, values identified by block portion ID 263 may not matchallowed values in list 246. Accordingly, exit analyzer 106 may generateexit indicator 112 indicating that an exit is necessary. Exit analyzer106 may send exit indicator 112 to virtual machine handler 114. Virtualmachine handler 114 may then instruct virtual machine 110 to exit core104.

In another example, a virtual machine may be related to instructionsused in data loss prevention. As part of the data loss prevention, avirtual machine may exchange data with other safe, known virtualmachines For example, the other safe virtual machines may be in the sameserver rack or may even be executed on the same hardware. The virtualmachine manager may set up hardware finite automata to compare networkaddresses with a white list of network addresses. The virtual machineexecution control table may be set to I/O exit with checking for networkcommunication. The virtual machine exit check table may be populated toinclude port ranges and respective hardware finite automata programmedto compare the network addresses. The hardware finite automata may bepopulated with a white list of network addresses.

A virtual machine related to the data loss prevention may beginexecuting on a processor core. The virtual machine may generate arequest to send a network message over a requested port. The virtualmachine handler may trap the request and determine that the requestrelates to an output through a port. As I/O exit with checking isenabled in the virtual machine execution control table, the virtualmachine handler may analyze the virtual machine exit check table. Theanalysis of the virtual machine exit check table may indicate that forthe requested port, a particular hardware finite automata engine isindicated. Further, for the requested port, the block portion ID of theinstruction is identified. The particular hardware finite automata maycompare the values identified by the block portion ID with a white listand produce the exit indicator in response.

Among other possible benefits, a system in accordance with thedisclosure may reduce the number of virtual machine exits in a computingenvironment. This reduction may in turn, reduce transitional latency.For example, some virtual machine exits may be avoided. A calculation todetermine whether an exit is needed may be performed in 30 to 40 clockcycles—in contrast to potentially 5000 clock cycles to: exit a virtualmachine, load a virtual machine manager, exit a virtual machine manager,and reload a virtual machine Additionally, power consumption may bereduced due to fewer virtual machine exits from the core.

FIG. 3 depicts a flow diagram for example processes to implement avirtual machine exit analyzer arranged in accordance with at least someembodiments described herein. In some examples, the process in FIG. 3could be implemented using system 100 discussed above and could be usedto determine whether a virtual machine should exit a core. An exampleprocess may include one or more operations, actions, or functions asillustrated by one or more of blocks S2, S4, S6 and/or S8. Althoughillustrated as discrete blocks, various blocks may be divided intoadditional blocks, combined into fewer blocks, or eliminated, dependingon the desired implementation.

Processing may begin at block S2, “Receive a request by a virtualmachine handler that includes an instruction, wherein the instructionincludes a port and a data block identifier.” At block S2, the virtualmachine handler may receive a request that may include an instruction,wherein the instruction may include a port and a data block identifier.In an example, a request may relate to an instruction and may be storedin a buffer.

Processing may continue from block S2 to block S4, “Generate a modifiedrequest, where the modified request includes the port, a block portionidentifier and an identification of a comparator.” At block S4, amodified request may be generated. The modified request may include theport, a block portion identifier and an identification of a comparator.In an example, the block portion identifier may indicate a location ofvalues identified by the block portion identifier based on offset and abyte count. In a further example, generating the modified request mayinclude analyzing a table to identify the comparator associated with theport. In another example, generating the modified request may includeanalyzing a table to identify the block portion identifier. The blockportion identifier may identify a location in a memory where a subset ofvalues identified by the data block identifier may be located. In afurther example, the subset of values may be fetched from the locationand provided to the comparator.

The comparator may be associated with a memory address. A hardwarefinite automata engine may be programmed to function as the comparator.Generating the modified request may include analyzing a table toidentify the comparator associated with the port and to identify a blockportion identifier. The block portion identifier may identify a locationin a memory where a subset of values identified by the data blockidentifier is located.

Processing may continue from block S4 to block S6, “Send valuesidentified by the block portion identifier to the comparator.” At blockS6, the values identified by the block portion identifier may be sent tothe comparator.

Processing may continue from block S6 to block S8, “Receive an exitindicator from the comparator that indicates whether the virtual machineshould exit the core.” At block S8, an exit indicator may be receivedfrom the comparator. The exit indicator may indicate whether the virtualmachine should exit the core. The exit indicator may be a Boolean value.In an example where the exit indicator indicates that the virtualmachine should not exit the core, the virtual machine may be allowed toexecute the request.

FIG. 4 illustrates an example computer program product 400 that can beutilized to implement a virtual machine exit analyzer arranged inaccordance with at least some embodiments described herein. Programproduct 400 may include a signal bearing medium 402. Signal bearingmedium 402 may include one or more instructions 404 that, when executedby, for example, a processor, may provide the functionality describedabove with respect to FIGS. 1-3. Thus, for example, referring to system100, virtual machine handler 114 may undertake one or more of the blocksshown in FIG. 4 in response to instructions 404 conveyed to the system100 by medium 402.

In some implementations, signal bearing medium 402 may encompass acomputer-readable medium 406, such as, but not limited to, a hard diskdrive, a Compact Disc (CD), a Digital Video Disk (DVD), a digital tape,memory, etc. In some implementations, signal bearing medium 402 mayencompass a recordable medium 408, such as, but not limited to, memory,read/write (R/W) CDs, R/W DVDs, etc. In some implementations, signalbearing medium 402 may encompass a communications medium 410, such as,but not limited to, a digital and/or an analog communication medium(e.g., a fiber optic cable, a waveguide, a wired communications link, awireless communication link, etc.). Thus, for example, program product400 may be conveyed to one or more modules of the system 100 by an RFsignal bearing medium 402, where the signal bearing medium 402 isconveyed by a wireless communications medium 410 (e.g., a wirelesscommunications medium conforming with the IEEE 802.11 standard).

FIG. 5 is a block diagram illustrating an example computing device 500that is arranged to implement a virtual machine exit analyzer inaccordance with at least some embodiments described herein. In a verybasic configuration 502, computing device 500 typically includes one ormore processors 504 and a system memory 506. A memory bus 508 may beused for communicating between processor 504 and system memory 506.

Depending on the desired configuration, processor 504 may be of any typeincluding but not limited to a microprocessor (μP), a microcontroller(μC), a digital signal processor (DSP), or any combination thereof.Processor 504 may include one more levels of caching, such as a levelone cache 510 and a level two cache 512, a processor core 514, andregisters 516. An example processor core 514 may include virtual machinehandler 114 an arithmetic logic unit (ALU), a floating point unit (FPU),a digital signal processing core (DSP Core), or any combination thereofAn example memory controller 518 may also be used with processor 504, orin some implementations memory controller 518 may be an internal part ofprocessor 504.

Depending on the desired configuration, system memory 506 may be of anytype including but not limited to volatile memory (such as RAM),non-volatile memory (such as ROM, flash memory, etc.) or any combinationthereof System memory 506 may include an operating system 520, one ormore applications 522, one or more programmable circuits 566 and programdata 524. Application 522 may include a virtual machine exit analyzeralgorithm 526 that is arranged to perform the functions as describedherein including those described with respect to system 100 of FIGS.1-4. Program data 524 may include virtual machine exit analyzer data 528that may be useful to implement a virtual machine exit analyzer as isdescribed herein. In some embodiments, application 522 may be arrangedto operate with program data 524 on operating system 520 such that avirtual machine exit analyzer may be provided. This described basicconfiguration 502 is illustrated in FIG. 5 by those components withinthe inner dashed line.

Computing device 500 may have additional features or functionality, andadditional interfaces to facilitate communications between basicconfiguration 502 and any required devices and interfaces. For example,a bus/interface controller 530 may be used to facilitate communicationsbetween basic configuration 502 and one or more data storage devices 532via a storage interface bus 534. Data storage devices 532 may beremovable storage devices 536, non-removable storage devices 538, or acombination thereof Examples of removable storage and non-removablestorage devices include magnetic disk devices such as flexible diskdrives and hard-disk drives (HDD), optical disk drives such as compactdisk (CD) drives or digital versatile disk (DVD) drives, solid statedrives (SSD), and tape drives to name a few. Example computer storagemedia may include volatile and nonvolatile, removable and non-removablemedia implemented in any method or technology for storage ofinformation, such as computer readable instructions, data structures,program modules, or other data.

System memory 506, removable storage devices 536 and non-removablestorage devices 538 are examples of computer storage media. Computerstorage media includes, but is not limited to, RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other mediumwhich may be used to store the desired information and which may beaccessed by computing device 500. Any such computer storage media may bepart of computing device 500.

Computing device 500 may also include an interface bus 540 forfacilitating communication from various interface devices (e.g., outputdevices 542, peripheral interfaces 544, and communication devices 546)to basic configuration 502 via bus/interface controller 530. Exampleoutput devices 542 include a graphics processing unit 548 and an audioprocessing unit 550, which may be configured to communicate to variousexternal devices such as a display or speakers via one or more A/V ports552. Example peripheral interfaces 544 include a serial interfacecontroller 554 or a parallel interface controller 556, which may beconfigured to communicate with external devices such as input devices(e.g., keyboard, mouse, pen, voice input device, touch input device,etc.) or other peripheral devices (e.g., printer, scanner, etc.) via oneor more I/O ports 558. An example communication device 546 includes anetwork controller 560, which may be arranged to facilitatecommunications with one or more other computing devices 562 over anetwork communication link via one or more communication ports 564.

The network communication link may be one example of a communicationmedia. Communication media may typically be embodied by computerreadable instructions, data structures, program modules, or other datain a modulated data signal, such as a carrier wave or other transportmechanism, and may include any information delivery media. A “modulateddata signal” may be a signal that has one or more of its characteristicsset or changed in such a manner as to encode information in the signal.By way of example, and not limitation, communication media may includewired media such as a wired network or direct-wired connection, andwireless media such as acoustic, radio frequency (RF), microwave,infrared (IR) and other wireless media. The term computer readable mediaas used herein may include both storage media and communication media.

Computing device 500 may be implemented as a portion of a small-formfactor portable (or mobile) electronic device such as a cell phone, apersonal data assistant (PDA), a personal media player device, awireless web-watch device, a personal headset device, an applicationspecific device, or a hybrid device that include any of the abovefunctions. Computing device 500 may also be implemented as a personalcomputer including both laptop computer and non-laptop computerconfigurations.

The present disclosure is not to be limited in terms of the particularembodiments described in this application, which are intended asillustrations of various aspects. Many modifications and variations canbe made without departing from its spirit and scope, as will be apparentto those skilled in the art. Functionally equivalent methods andapparatuses within the scope of the disclosure, in addition to thoseenumerated herein, will be apparent to those skilled in the art from theforegoing descriptions. Such modifications and variations are intendedto fall within the scope of the appended claims. The present disclosureis to be limited only by the terms of the appended claims, along withthe full scope of equivalents to which such claims are entitled. It isto be understood that this disclosure is not limited to particularmethods, reagents, compounds compositions or biological systems, whichcan, of course, vary. It is also to be understood that the terminologyused herein is for the purpose of describing particular embodimentsonly, and is not intended to be limiting.

With respect to the use of substantially any plural and/or singularterms herein, those having skill in the art can translate from theplural to the singular and/or from the singular to the plural as isappropriate to the context and/or application. The varioussingular/plural permutations may be expressly set forth herein for sakeof clarity.

It will be understood by those within the art that, in general, termsused herein, and especially in the appended claims (e.g., bodies of theappended claims) are generally intended as “open” terms (e.g., the term“including” should be interpreted as “including but not limited to,” theterm “having” should be interpreted as “having at least,” the term“includes” should be interpreted as “includes but is not limited to,”etc.). It will be further understood by those within the art that if aspecific number of an introduced claim recitation is intended, such anintent will be explicitly recited in the claim, and in the absence ofsuch recitation no such intent is present. For example, as an aid tounderstanding, the following appended claims may contain usage of theintroductory phrases “at least one” and “one or more” to introduce claimrecitations. However, the use of such phrases should not be construed toimply that the introduction of a claim recitation by the indefinitearticles “a” or “an” limits any particular claim containing suchintroduced claim recitation to embodiments containing only one suchrecitation, even when the same claim includes the introductory phrases“one or more” or “at least one” and indefinite articles such as “a” or“an” (e.g., “a” and/or “an” should be interpreted to mean “at least one”or “one or more”); the same holds true for the use of definite articlesused to introduce claim recitations. In addition, even if a specificnumber of an introduced claim recitation is explicitly recited, thoseskilled in the art will recognize that such recitation should beinterpreted to mean at least the recited number (e.g., the barerecitation of “two recitations,” without other modifiers, means at leasttwo recitations, or two or more recitations). Furthermore, in thoseinstances where a convention analogous to “at least one of A, B, and C,etc.” is used, in general such a construction is intended in the senseone having skill in the art would understand the convention (e.g., “asystem having at least one of A, B, and C” would include but not belimited to systems that have A alone, B alone, C alone, A and Btogether, A and C together, B and C together, and/or A, B, and Ctogether, etc.). In those instances where a convention analogous to “atleast one of A, B, or C, etc.” is used, in general such a constructionis intended in the sense one having skill in the art would understandthe convention (e.g., “a system having at least one of A, B, or C” wouldinclude but not be limited to systems that have A alone, B alone, Calone, A and B together, A and C together, B and C together, and/or A,B, and C together, etc.). It will be further understood by those withinthe art that virtually any disjunctive word and/or phrase presenting twoor more alternative terms, whether in the description, claims, ordrawings, should be understood to contemplate the possibilities ofincluding one of the terms, either of the terms, or both terms. Forexample, the phrase “A or B” will be understood to include thepossibilities of “A” or “B” or “A and B.”

In addition, where features or aspects of the disclosure are describedin terms of Markush groups, those skilled in the art will recognize thatthe disclosure is also thereby described in terms of any individualmember or subgroup of members of the Markush group.

As will be understood by one skilled in the art, for any and allpurposes, such as in terms of providing a written description, allranges disclosed herein also encompass any and all possible subrangesand combinations of subranges thereof Any listed range can be easilyrecognized as sufficiently describing and enabling the same range beingbroken down into at least equal halves, thirds, quarters, fifths,tenths, etc. As a non-limiting example, each range discussed herein canbe readily broken down into a lower third, middle third and upper third,etc. As will also be understood by one skilled in the art all languagesuch as “up to,” “at least,” “greater than,” “less than,” and the likeinclude the number recited and refer to ranges which can be subsequentlybroken down into subranges as discussed above. Finally, as will beunderstood by one skilled in the art, a range includes each individualmember. Thus, for example, a group having 1-3 cells refers to groupshaving 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers togroups having 1, 2, 3, 4, or 5 cells, and so forth.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purposes ofillustration and are not intended to be limiting, with the true scopeand spirit being indicated by the following claims.

1. A method to determine whether a virtual machine should exit a core,the method comprising: receiving an initial request that includes aninstruction to receive data at, or output data from, a port of aprocessor, wherein the instruction includes an identification of theport and a data block identifier; generating a modified request from theinitial request, where the modified request includes the identificationof the port, a block portion identifier, and an identification of acomparator; sending values identified by the block portion identifier tothe comparator; and receiving an exit indicator from the comparator inresponse to sending the values identified by the block portionidentifier, wherein the exit indicator indicates whether the virtualmachine should exit the core.
 2. The method of claim 1, whereinreceiving the exit indicator includes receiving an exit indicator thatincludes a Boolean value.
 3. The method of claim 1, wherein the blockportion identifier includes an offset and a byte count.
 4. The method ofclaim 1, wherein generating the modified request includes analyzing atable to identify the comparator, which is associated with the port. 5.The method of claim 1, wherein generating the modified request includesanalyzing a table to identify the block portion identifier, wherein theblock portion identifier identifies a location in a memory where thevalues are located.
 6. The method of claim 1, wherein generating themodified request includes analyzing a table to identify the comparator,which is associated with the port, and to identify the block portionidentifier, wherein the block portion identifier identifies a locationin a memory where the values are located.
 7. The method of claim 1,further comprising storing the instruction in a buffer.
 8. The method ofclaim 1, further comprising allowing the virtual machine to execute therequest in response to the exit indicator indicating that an exit of thevirtual machine from the core is unnecessary.
 9. A method to determinewhether a virtual machine should exit a core, the method comprising, bya processor: receiving an initial request at a virtual machine handlerof the processor, wherein the initial request includes an instruction toreceive data at, or output data from, a port of the processor, andwherein the instruction includes an identification of the port and adata block identifier; generating, by the virtual machine handler of theprocessor, a modified request from the initial request, where themodified request includes the identification of the port, a blockportion identifier and an identification of a comparator of theprocessor; and sending, by the virtual machine handler of the processor,values identified by the block portion identifier to the comparator ofthe processor; comparing, by the comparator of the processor, the valuesidentified by the block portion identifier with a list of allowedvalues; generating, by the comparator of the processor, an exitindicator, based on the comparison, that indicates an exit of thevirtual machine from the core is unnecessary if the values identified bythe block portion identifier matches the allowed values; and sending, bythe comparator of the processor, the exit indicator to the virtualmachine handler of the processor; and receiving, by the virtual machinehandler of the processor, the exit indicator from the comparator of theprocessor.
 10. The method of claim 9, wherein: the comparator isassociated with a memory address; and the list is stored at the memoryaddress.
 11. The method of claim 9, wherein a hardware finite automataengine operates as the comparator, and the hardware finite automataengine includes the list, the method further comprising, prior toreceiving the initial request: associating a memory address with thehardware finite automata engine.
 12. The method of claim 9, whereingenerating the exit indicator includes generating an exit indicator thatincludes a Boolean value.
 13. The method of claim 9, wherein generatingthe modified request includes analyzing a table to identify thecomparator, which is associated with the port, and to identify the blockportion identifier, wherein the block portion identifier identifies alocation in a memory where the values are located.
 14. The method ofclaim 9, further comprising: storing the instruction in a buffer;wherein generating the modified request includes analyzing a table toidentify the comparator, which is associated with the port, and toidentify the block portion identifier, wherein the block portionidentifier identifies a location in a memory where the values arelocated; and the method further comprises: fetching a subset of valuesidentified by the data block identifier from the location; and providingthe subset of values to the comparator.
 15. The method of claim 9,further comprising allowing, by the virtual machine handler, the virtualmachine to execute the request.
 16. A processor, comprising: a virtualmachine handler; a core configured to be in communication with thevirtual machine handler, the core effective to execute a virtualmachine; a buffer; and a comparator configured to be in communicationwith the virtual machine handler; the virtual machine handler beingconfigured to: receive an initial request that relates to an instructionto receive data at, or output data from, a port of the processor,wherein the instruction includes an identification of the port and adata block identifier; store the instruction in the buffer; generate amodified request from the initial request, where the modified requestincludes the identification of the port, a block portion identifier andan identification of the comparator; send values identified by the blockportion identifier to the comparator; and the comparator beingconfigured to: generate an exit indicator that indicates whether thevirtual machine should exit the core; and send the exit indicator to thevirtual machine handler; the virtual machine handler is furtherconfigured to receive the exit indicator from the comparator.
 17. Theprocessor of claim 16, wherein the comparator is further configured to:compare the values identified by the block portion identifier with alist of allowed values; wherein the exit indicator indicates an exit ofthe virtual machine from the core is unnecessary if the valuesidentified by the block portion identifier matches at least one of theallowed values.
 18. The processor of claim 17, wherein the virtualmachine handler is further configured to allow the virtual machine toexecute the request.
 19. The processor of claim 16, wherein thecomparator is further configured to: compare the values identified bythe block portion identifier with a list of allowed values; wherein theexit indicator indicates the virtual machine should exit the core ifthere is a mismatch between the values identified by the block portionidentifier with any of the allowed values.
 20. The processor of claim19, wherein the virtual machine handler is effective to instruct thevirtual machine to exit the core.
 21. A method for a virtual machinemanager to control a virtualization hardware to determine whether avirtual machine should exit a core, the method comprising: sending, bythe virtual machine manager, an initial request to a virtual machinehandler, wherein the initial request relates to an instruction toreceive data at, or output data from, a port of a processor, wherein theinstruction includes an identification of the port and a data blockidentifier; controlling, by the virtual machine manager, the virtualmachine handler to generate a modified request from the initial request,wherein the modified request includes the identification of the port, ablock portion identifier, and an identification of a comparator;controlling, by the virtual machine manager, the virtual machine handlerto send values identified by the block portion identifier to thecomparator; identifying, by the virtual machine manager, receipt of anexit indicator by the virtual machine handler from the comparator inresponse to the instruction to send the values identified by the blockportion identifier, wherein the exit indicator indicates whether thevirtual machine should exit the core; and controlling, by the virtualmachine manager, the virtual machine handler to determine whether thevirtual machine should exit the core based on the exit indicator. 22.The method of claim 21, wherein: the comparator is associated with amemory address; and the list is stored at the memory address.
 23. Themethod of claim 21, wherein a hardware finite automata engine isconfigured as the comparator, and the hardware finite automata engineincludes the list, the method further comprising associating, by thevirtual machine manager, a memory address with the hardware finiteautomata engine.